--- title: Avoid potential server side request forgeries (SSRFs) description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Static Code Analysis (SAST) > SAST Rules > Avoid potential server side request forgeries (SSRFs) --- # Avoid potential server side request forgeries (SSRFs) {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). (). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **ID:** `php-security/tainted-url-host` **Language:** PHP **Severity:** Error **Category:** Security **CWE**: [918](https://cwe.mitre.org/data/definitions/918.html) ## Description{% #description %} Server side request forgery (SSRF) is a type of exploit where an attacker abuses the functionality of a server to send HTTP requests to an arbitrary domain. SSRFs are dangerous because they can allow an attacker to bypass access controls, such as firewalls, to interact with internal resources. The rule is important because it protects your application from potential security vulnerabilities. It restricts the ability of potential attackers to trick your server into making requests to arbitrary URLs, which could lead to unauthorized access to sensitive data or systems. To avoid SSRF vulnerabilities, always sanitize user inputs that will be used in URLs. One way to do this is by using PHP's built-in `filter_var` function with the `FILTER_SANITIZE_URL` option. This will remove any illegal URL characters from the input. Additionally, avoid using user input directly in the construction of URLs. Instead, use a base URL that you control, and append sanitized user input to it. For example, use `$base_url = 'https://www.domain.tld/';` and `$path = filter_var($_GET['url'], FILTER_SANITIZE_URL);` to create a safe URL. ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```php